Feb 13, 2013 by Jeff Falk

The deployment of the "Shamoon" computer virus against the Saudi Arabian Oil Co. last year was an important new development in international cyber conflict. Shamoon must put all providers of critical services on alert and requires concerted action by governments and private interests, according to a new working paper from Rice University's Baker Institute for Public Policy and the International Institute for Strategic Studies (IISS) in Manama, Bahrain.

The paper, "Hack or Attack? Shamoon and the Evolution of Cyber Conflict," was co-authored by Christopher Bronk, a fellow in information technology policy at the Baker Institute, and Eneken Tikk-Ringas, a senior fellow for cybersecurity at the IISS. The paper documents the Shamoon case and considers its impact on broader policymaking regarding the Middle East, energy and cybersecurity issues. The paper has been approved for publication in the March issue of the journal Survival, Global Politics and Strategy.

"Although the Shamoon attack did not result in any physical damage to critical infrastructure in the Middle East, there has been a secondary impact on risk assessment for providers of critical services worldwide," Bronk said. "Shamoon is a reminder that enterprises need to be alert about the possibility of becoming the target of a politically motivated cyberincident."

On Aug. 15, 2012, the Saudi Arabian Oil Co. (also known as Saudi Aramco) was struck by a computer virus that possibly spread across as many as 30,000 Windows-based personal computers operating on the company's network. The company is Saudi Arabia's national petroleum concern and a producer, manufacturer, marketer and refiner of crude oil, natural gas and petroleum products. According to news sources, it may have taken Aramco almost two weeks to fully restore its network and recover from the disruption of its daily business operations caused by data loss and disabled workstations resulting from the incident. The computer security research community dubbed the virus Shamoon.

While Aramco leadership has asserted that production was unaffected, the authors said there are important questions from the Shamoon case germane to other players in oil and gas and elsewhere in industry. "But the critical point for policy is how government, commercial actors, the international system and other players share and manage cyberincident risk," Bronk said. "Shamoon identifies just how broadly a major cyberattack can impact key national capabilities and concerns."

The authors argue that the Shamoon incident calls for a review and refinement of critical infrastructure policies (CIP) and joint efforts between governments and private interests.

"Developing working public-private partnerships in CIP is a challenging task, as it requires very careful consideration by government of relevant business goals and processes as well as appreciation of the governmental threat assessment logic and the required supervisory steps by the private sector," Tikk-Ringas said. "Although the need for public-private protection and defense models has been acknowledged, the policy goals and business routines are difficult to marry without resistance." She said a plan of action for achieving a working CIP model will need a balanced role division.

The authors said cyberattacks against critical infrastructure are unlikely to go unnoticed, and therefore, an appropriate response is in order. "This raises the questions of strategic communications, decision-making about who responds to which aspects of the incident and how," Tikk-Ringas said. "Such transgressions challenge national security and raise the questions of use of force considered by lawyers of international conflict. Therefore, responses to CI cyberincidents matter from both national authority and general deterrence perspectives and, in the light of the Aramco-Shamoon incident, require special attention by enterprises, governments and international organizations alike."

Related Stories

(Phys.org)—Energy firms have spent vast sums on the security of their information systems, but they must reorient from a reactive, tactical posture regarding intrusions and attacks to a more strategic, holistic view that ...

(Phys.org) -- A new computer virus is leaving security experts asking what could be the motive and where is the sourcebut one suspicion is that it is targeting infrastructure in the energy industry. ...

(AP)—Security technicians are beginning to suspect that highly targeted virus attacks were behind the recent crippling of computer systems at two major Gulf energy companies, even as questions swirl about ...

Recommended for you

A unanimous Supreme Court ruled Tuesday that federal courts can hear a dispute over Colorado's Internet tax law. One justice suggested it was time to reconsider the ban on state collection of sales taxes from companies outside ...

Hillary Rodham Clinton used a personal email account during her time as secretary of state, rather than a government-issued email address, potentially hampering efforts to archive official government documents ...